Why PCI DSS Matters Even When You Never Touch a Credit Card Number
Every fintech founder has the same reaction when PCI DSS first comes up: "We use Stripe. We never see card numbers. Why do we need to worry about this?" It is a reasonable question with an inconvenient answer -- you still have compliance obligations, and ignoring them creates both legal liability and real security risk.
PCI DSS v4.0, which became the only accepted standard after March 2025, applies to any entity that stores, processes, or transmits cardholder data, or that could affect the security of a cardholder data environment. That second clause is what catches most fintechs. If your web application serves the page containing a Stripe payment form, your application is in scope. If your infrastructure could be compromised to inject malicious JavaScript that skims card data, you have PCI obligations.
The good news: PCI DSS was designed with proportionality in mind. A 15-person fintech that uses Stripe Elements does not face the same requirements as JPMorgan Chase. The trick is understanding which requirements apply to you and building compliance efficiently from the start, rather than retrofitting it later when a partner or acquirer demands your Attestation of Compliance.
The real cost of ignoring PCI: Beyond fines of $5,000 to $100,000 per month from card brands, a PCI violation after a breach means your payment processing privileges can be revoked. For a fintech, that is not a fine -- it is an extinction event.
Understanding SAQ Types: Choosing the Right Assessment for Your Architecture
The Self-Assessment Questionnaire (SAQ) is where most fintech startups begin their PCI journey. Your payment architecture determines which SAQ you need, and that choice has massive implications for cost and effort. For a complete breakdown of all SAQ types, see our PCI DSS SAQ types guide.
| SAQ Type | Who It Applies To | Requirements | Typical Fintech Use Case |
|---|---|---|---|
| SAQ A | Fully outsourced payment page via iframe or redirect | 22 requirements | Stripe Checkout, PayPal hosted buttons, Adyen Drop-in |
| SAQ A-EP | E-commerce merchants whose website impacts payment page security | ~139 requirements | Stripe Elements on your page, custom JS alongside payment form |
| SAQ D (Merchant) | Merchants that store, process, or transmit cardholder data | ~300+ requirements | Fintech with card vault, custom payment gateway integration |
| SAQ D (SP) | Service providers handling cardholder data on behalf of others | ~300+ requirements | Payment facilitator, issuer processor, BaaS provider |
SAQ A: The Target for Most Early-Stage Fintechs
If you can architect your payment flow so that your servers never receive, process, or serve the payment page, SAQ A is your goal. With only 22 requirements, this is the lightest compliance burden available. The critical architectural requirement is that the entire payment form must be served from your payment processor's domain via an iframe or full-page redirect.
Under PCI DSS v4.0, SAQ A now includes requirement 6.4.3, which mandates an inventory and integrity verification of all scripts loaded on your payment pages. Even with a fully hosted payment page, you need to document and monitor any JavaScript on the parent page that contains the iframe.
SAQ A-EP: Where Most Fintechs Actually Land
Here is the uncomfortable truth: most fintech startups using Stripe Elements, Braintree Drop-in UI, or similar client-side integrations actually need SAQ A-EP, not SAQ A. The distinction comes down to whether your application code runs on the same page as the payment form.
If you embed Stripe Elements into your React checkout page, your application JavaScript runs alongside the payment form. A cross-site scripting vulnerability in your application could theoretically be exploited to skim card data before it reaches Stripe. That shared page context is what pushes you from SAQ A to SAQ A-EP.
SAQ A-EP adds significant requirements around:
- Web application security -- vulnerability scanning, web application security testing, and secure development practices
- Network security -- firewall rules, network segmentation, and traffic monitoring
- Access control -- role-based access, MFA, and privileged account management
- Logging and monitoring -- audit trails and centralized logging per Requirement 10
Scope Reduction: The Single Most Important Strategy for Fintech PCI Compliance
Every PCI control you do not need to implement is time and money saved. Scope reduction is not about avoiding security -- it is about concentrating your security investment on the systems that actually matter for payment data protection.
Tokenization: Replace Card Data With Tokens Everywhere
If your application needs to reference a customer's payment method after the initial transaction, use your processor's tokenization service rather than storing card data. Stripe's Customer and PaymentMethod objects, for example, let you charge cards, set up subscriptions, and manage payment methods without ever seeing a card number. For a deeper dive, see our guide on PCI DSS tokenization and scope reduction.
Tokenization removes your database, application servers, and backup systems from PCI scope. The cost savings are dramatic -- SAQ D requires encryption key management, data retention policies, and quarterly internal vulnerability scans across all systems that touch cardholder data.
Network Segmentation: Isolate What You Cannot Eliminate
If any part of your infrastructure must handle payment-adjacent functions, segment those systems into a dedicated network zone with strict access controls. This limits your Cardholder Data Environment (CDE) to the smallest possible footprint. Everything outside the CDE boundary has reduced or eliminated PCI obligations.
For cloud-native fintechs, segmentation typically means:
- Separate VPCs or subnets for payment-related services
- Security groups that restrict traffic to only necessary ports and protocols
- Dedicated IAM roles with least-privilege access for payment service accounts
- Separate logging and monitoring pipelines for in-scope systems
- Container isolation if using microservices -- payment containers in their own namespace
Cloud Provider Shared Responsibility
AWS, GCP, and Azure all maintain PCI DSS compliance for their infrastructure layer. This means you inherit their physical security, hypervisor security, and network infrastructure controls. Make sure you obtain and reference your cloud provider's Attestation of Compliance (AOC) in your own assessment. For cloud-specific guidance, see our PCI DSS cloud compliance guide.
Common Fintech PCI Pitfalls We See Repeatedly
After working with dozens of fintech startups on PCI compliance through our fintech security assessments, these are the mistakes we encounter most frequently.
- Logging card data in application logs -- Your error logging catches the full HTTP request body, including card numbers submitted through a fallback form handler. Check your logs now. Grep for patterns matching card number formats
- Developer environment access to production payment data -- Developers use production API keys in staging because "it is easier." This puts every developer laptop and staging server in PCI scope
- Forgetting about support tools -- Customer support agents view card data through admin dashboards, CRM integrations, or support ticket screenshots. These systems are now in scope
- Third-party scripts on payment pages -- Analytics, chat widgets, A/B testing tools, and marketing pixels loaded on your checkout page can all access payment form data. PCI DSS v4.0 requirement 6.4.3 explicitly requires inventory and integrity monitoring of all page scripts
- Assuming your payment processor handles everything -- Stripe's PCI compliance covers Stripe. It does not cover your servers, your code, your access controls, or your employees
- No vulnerability scanning program -- PCI requires quarterly ASV scans for external-facing systems and regular vulnerability scanning of internal systems in scope
- Ignoring requirement 12 -- Information security policies are not optional. You need documented policies covering acceptable use, incident response, vendor management, and employee security awareness
Real-world example: We assessed a Series B fintech that used Stripe Elements and assumed SAQ A applied. Their checkout page loaded 14 third-party JavaScript libraries, their error logging captured full request bodies including card data from a legacy form handler, and three support agents had screenshot-level access to card details through Zendesk. They actually needed SAQ D with a significant remediation effort before they could certify.
PCI DSS v4.0 Requirements That Hit Fintechs Hardest
PCI DSS v4.0 introduced several requirements that disproportionately affect fintech startups. These went from best practices to mandatory requirements as of March 31, 2025, and many organizations are still catching up. For the full timeline, see our PCI DSS v4.0 compliance deadline guide.
Requirement 6.4.3: Script Inventory and Integrity
Every script loaded on your payment pages must be inventoried, authorized, and have its integrity verified. This means implementing Subresource Integrity (SRI) hashes or Content Security Policy (CSP) headers for all JavaScript, and maintaining a documented list of every script with a business justification for its presence.
For fintechs running React or Next.js applications, this is particularly challenging because build tools generate new script hashes with every deployment. You need automated tooling to update your CSP headers and SRI hashes as part of your CI/CD pipeline.
Requirement 8.3.6: Password Complexity Increases
Minimum password length increased to 12 characters (from 7), and passwords must contain both numeric and alphabetic characters. If your application uses password-based authentication for admin panels or internal tools that touch payment data, you need to update your password policies and enforce them technically.
Requirement 11.6.1: Change Detection for Payment Pages
You must implement a change-and-tamper-detection mechanism for payment pages. This goes beyond traditional file integrity monitoring -- you need to detect unauthorized modifications to HTTP headers and the content of payment pages as received by the consumer's browser. This effectively requires client-side monitoring or synthetic testing of your payment pages.
A Realistic Timeline to PCI Compliance for Fintechs
Here is what a realistic path to PCI compliance looks like for a fintech startup, broken down by SAQ type.
SAQ A Timeline: 4 to 8 Weeks
- Week 1-2: Architecture review and scope validation -- confirm your payment integration truly qualifies for SAQ A
- Week 2-3: Script inventory for payment pages (requirement 6.4.3), implement CSP headers
- Week 3-4: Document information security policies, acceptable use policy, and incident response plan
- Week 4-6: Complete SAQ A questionnaire, remediate any gaps identified
- Week 6-8: ASV scan, final review, submit Attestation of Compliance
SAQ A-EP Timeline: 8 to 16 Weeks
- Week 1-3: Scope assessment, network diagram, data flow mapping for payment transactions
- Week 3-6: Implement security controls -- access management, logging, encryption, vulnerability management
- Week 6-8: Penetration testing of in-scope web applications and infrastructure
- Week 8-12: Remediate penetration test findings, tune monitoring and alerting
- Week 12-16: Complete SAQ A-EP, ASV scan, internal scan, submit AOC
SAQ D or ROC Timeline: 6 to 12 Months
If your fintech stores, processes, or transmits cardholder data directly, you are looking at a significant compliance program. Most startups at this level should engage a Qualified Security Assessor (QSA) early and consider whether architectural changes could reduce your scope to SAQ A-EP. The cost of re-architecting is almost always less than the ongoing cost of SAQ D compliance.
Building PCI Into Your Development Lifecycle
The fintechs that handle PCI most efficiently treat it as part of their engineering culture rather than an annual compliance exercise. Here is how to embed PCI requirements into your development workflow.
Secure Development Practices (Requirement 6)
PCI DSS v4.0 Requirement 6 mandates secure development practices including code review, developer training, and vulnerability management. For fintech engineering teams, this means:
- Code review for security -- Every PR that touches payment flows or in-scope systems should include a security-focused code review
- Dependency management -- Automated scanning for vulnerable dependencies in your payment-related services, with defined SLAs for patching critical vulnerabilities
- Separate environments -- Production payment credentials must never appear in development, staging, or CI/CD environments. Use test mode keys and document the separation
- Security training -- Developers working on payment features need annual security awareness training with PCI-specific content
Automating PCI Evidence Collection
Manual evidence collection for PCI compliance is unsustainable for fast-moving fintech teams. Invest in automation early. Platforms like Vanta, Drata, and Secureframe integrate with your cloud providers and development tools to automatically collect evidence for many PCI requirements. For more on this approach, see our compliance automation guide.
Cost perspective: A compliance automation platform costs $10,000 to $25,000 per year. A QSA engagement for SAQ D costs $30,000 to $80,000 per assessment. Automation pays for itself within the first assessment cycle by reducing QSA hours and eliminating last-minute evidence scrambles.
When Your Fintech Outgrows Self-Assessment
As your fintech scales, there are natural inflection points where your PCI compliance approach needs to evolve.
- Processing over 6 million transactions annually -- You move from SAQ to a Report on Compliance (ROC) with an on-site QSA assessment. Plan for this transition well before you hit the threshold
- Becoming a payment facilitator (PayFac) -- If you onboard sub-merchants, you take on responsibility for their PCI compliance as well. This is a fundamentally different compliance posture
- Enterprise customer requirements -- Large customers may require your AOC, and some require a ROC regardless of your transaction volume. Having robust PCI controls accelerates enterprise sales
- Regulatory expansion -- If you add banking, lending, or insurance products, PCI becomes one layer in a multi-framework compliance program alongside SOC 2, ISO 27001, and industry-specific regulations
The key is to build your PCI program on a foundation that scales. The controls you implement for SAQ A-EP -- secure development, access management, logging, vulnerability management -- are the same controls you need for SOC 2, ISO 27001, and other frameworks. Building them well once is far cheaper than rebuilding them for each new compliance requirement.
Need PCI DSS Compliance Support for Your Fintech?
Lorikeet Security's Compliance Package ($42,500/yr) includes PCI DSS readiness assessments, penetration testing, and ongoing audit support designed for growing fintechs. We help you find the shortest path to compliance without over-engineering your controls.
